U.S. DEPARTMENT OF COMMERCE
Office of Inspector General

PUBLIC RELEASE

OFFICE OF THE CHIEF INFORMATION OFFICER

Department Is Working to Improve Accuracy of Reporting Y2K Compliance Status

Inspection Report No. OSE-10924 / March 1999

Office of Systems Evaluation

March 31, 1999

MEMORANDUM FOR: Roger W. Baker
                Chief Information Officer

FROM:           Johnnie Frazier
                Acting Inspector General

SUBJECT:        Final Inspection Report, Department Is Working to Improve Accuracy of Reporting Y2K Compliance Status (Report No. OSE-10924)

The Office of Inspector General is conducting a series of reviews of the Department of Commerce’s Year 2000 (Y2K) Conversion Program. The purpose of this review was to determine whether the number of compliant systems reported to the Office of Management and Budget (OMB) accurately reflected the status of the Department’s Y2K Program. We made this determination by assessing a small sample of systems reported to be compliant. We found that the reported number of compliant systems does not accurately reflect the status of the Department’s Y2K Program because the number is misleading, critical systems are not properly identified, and evidence is lacking to validate compliance. We are concerned that the statistics on compliant systems can give the impression that bureaus are making significant progress when the most difficult Y2K conversions may still remain. We are aware, however, that as the Department’s new Chief Information Officer (CIO), you have recognized these problems and instituted plans to resolve them.
Commerce bureaus are starting to respond both to your new plan and feedback from our inspection.

Your response to our draft report indicates that you agree with our observations and the intent of our recommendations. We summarize your response and follow-up discussions with your staff after each recommendation. A copy of your full response is included as an attachment. We appreciate the cooperation of the Department and the bureaus’ staff during this review. We look forward to continuing to work cooperatively with the CIO and the bureaus to increase confidence that Commerce’s operations will not be disrupted by Y2K problems.

BACKGROUND

Many of the Department’s computer systems use shorthand two-digit, rather than four-digit, years that will cause inaccurate computations associated with the year 2000. Unless this Y2K problem is fixed, there is serious risk that the Department’s business operations will be disrupted because critical systems will not function properly.
If the Department’s critical systems are not Y2K compliant then services crucial to our country’s well-being, such as weather forecasting, the 2000 Decennial Census, economic reporting, export license enforcement, and intellectual property protection, could be jeopardized.[1] Exacerbating this situation is the fact that the Y2K problem is so pervasive—it could be hiding in many computer programs, computer hardware, data repositories, and external data sources—that weeding out every instance is a massive effort that can strain even the best managed, financed, and technically staffed organization.

In May 1997, OMB issued a memorandum requiring government agencies to file quarterly reports on their progress in making critical systems Y2K compliant. In November 1998, the Department of Commerce reported that 80 percent (367 out of 458) of its critical systems were compliant. The Department compiles quarterly reports from information provided by its constituent bureaus, but until recently has not been verifying this information.

PURPOSE AND SCOPE

The purpose of this review was to determine whether the number of compliant systems reported to OMB accurately reflected the status of the Department’s Y2K Conversion Program. We made this determination by assessing the reliability of bureau information used to compile this statistic.

Our approach was to determine whether a sample of systems that were claimed to be Y2K compliant in the Department’s quarterly OMB report actually were compliant.[2] To make this determination, we assessed the steps taken to renovate systems to make them compliant, i.e., how Y2K software problems were identified, fixed, and tested. Assessment of the renovation process cannot conclusively prove that a system determined to be compliant will be exempt from Y2K failures.
But it can increase confidence that the system will function properly and show that bureaus were diligent in handling Y2K problems. A key element of our assessment was reviewing test documentation, such as test plans, test cases, and test results.

We selected systems for review from the list of critical systems that corresponded to the Department’s April 1998 “Quarterly Year 2000 Report” to OMB, the most up-to-date report at the time our inspection started. We selected program, financial, and administrative systems that were reported to be compliant and that appeared to be most critical to each bureau’s mission. Then we worked with bureau Y2K coordinators to confirm or revise our selections. Later in the assessment, we also tried to limit our review to systems with significant Y2K problems (e.g., systems with many calculations using two-digit years), since they pose greater risk of failure.

[1] A system is “Y2K compliant” if it can accurately process data associated with the century change. If it is impractical to make a system compliant either by fixing Y2K errors or replacing the system, bureaus may utilize manual workarounds or other alternatives to deliver, at least, a minimum acceptable level of service.

[2] We did not assess other statistics in the quarterly report, such as the number of critical systems that have been or will be repaired.

We interviewed Department and bureau Y2K coordinators and bureau personnel directly involved in making systems Y2K compliant.
We assessed a total of 14 systems at 7 bureaus: Bureau of Economic Analysis (3 systems), Bureau of Export Administration (1), Bureau of the Census (4), Office of Administration (1), International Trade Administration (2), National Institute of Standards and Technology (2), and Patent and Trademark Office (1). Specific systems are listed in the Appendix.

We had planned to assess systems at each of the Department’s 12 bureaus but felt it more important to report our initial observations as soon as possible. We did not assess some of the most critical systems because it was already known that they were not yet compliant. Although we assessed only a small sample of systems, we learned enough about the Department’s Y2K Conversion Program to make the following observations and conclusions. We plan to continue reviewing the Department’s critical systems for Y2K compliance in the near future.

This review was carried out jointly by the OIG’s Offices of Systems Evaluation and Audits. In a previous review resulting in a memorandum issued to the Department in October 1997, the Office of Audits concluded that the level of departmental concern and urgency of meeting deadlines associated with Y2K was inadequate. Our work during this review was conducted in accordance with the Standards for Inspections issued by the President’s Council on Integrity and Efficiency.

OBSERVATIONS

The Reported Number of Compliant Systems Does Not Accurately Reflect the Status of the Department’s Y2K Program

The work effort remaining to make the Department’s critical systems compliant cannot be confidently determined from the number of compliant systems reported to OMB for several reasons: (1) the reported number of compliant systems is misleading, (2) critical systems were not properly identified, and (3) evidence is lacking to validate compliance.
However, the Department’s new CIO has recognized these problems and has instituted more comprehensive tracking of Y2K program progress and more stringent testing and validation requirements. Bureaus are starting to react to both the CIO’s new plan and our review.

    The Reported Number of Compliant Systems Is Misleading

It is widely recognized by the General Accounting Office (GAO) and others that because the Y2K program may be the largest and most complex system conversion effort undertaken by many federal agencies, it requires a disciplined, coordinated approach. To manage such an effort requires detailed and accurate program status information so that managers can identify problems and remedy them by redirecting scarce resources and adjusting the program strategy. However, we found that the number of compliant systems reported in the Department’s quarterly Year 2000 progress report to OMB is misleading. A combination of factors biases this number: in some cases, bureaus reported systems to be compliant that were not; in other cases, bureaus included non-critical systems that were easily made compliant.

In summary, out of 14 systems assessed, we found only 3 that not only were critical to the bureaus’ core business functions but also made significant use of year-specific data. Such systems pose the highest risk and are the kinds of systems that Y2K programs should focus on first. Two of the high risk systems had been renovated while the other was originally programmed to be compliant.
One of the two renovated systems was not compliant, and only one of the three had test documentation supporting that it was compliant. The factors that bias the number of compliant systems reported to OMB are discussed more fully below. The table summarizing our assessment is in the Appendix.

Compliance inaccurately reported. Out of 14 systems assessed, we could not confirm that 3 of the systems were compliant primarily because they were not thoroughly tested, particularly for dates in the next century. However, the risk of operational failure was low for two of the non-compliant systems (Census Bureau’s Administrative Record Processing and Basic Current Population Survey systems) because they used year data infrequently. The third non-compliant system (BXA’s Export Control Automated Support System) used year data extensively—75 percent of its program modules had been renovated. After we pointed out the need for more testing of this system, bureau personnel informed us that more comprehensive testing would be conducted.

Many compliant systems were not critical. Although we selected systems from a list of systems that were supposed to be critical, 5 of the 14 (36 percent) reviewed were not critical.[3] Three of the non-critical systems were from BEA and NIST, which are bureaus that chose to include all their systems, both critical and non-critical, in their OMB reports. Reporting non-critical systems to be compliant overstates the success of the Y2K program. It gives the impression that bureaus are making significant progress, when the most important systems may still require conversion.

Not all critical systems were listed. We determined that critical systems were missing from the list of systems used to compile the Department’s OMB report.
For example, at the Bureau of the Census, some critical systems for the 2000 Decennial Census, such as the Pre-Appointment Management System/Automated Decennial Administrative Management System and the Data Capture System 2000, were simply not listed. At NOAA, critical systems for two satellite programs were listed as a single system rather than individually. Not listing all critical systems downplays the number of systems requiring attention. (By the end of our review, the Census Bureau had engaged a contractor to validate the compliance of decennial systems. Also, NOAA was working on making its satellite systems Y2K compliant.)

[3] OMB states that agencies should address their “mission-critical” systems in quarterly reports.

Most systems required little effort to become compliant. Ten out of 11 compliant systems we reviewed required little or no renovation to become compliant. They were either previously programmed to be compliant or had little or no year data to read, manipulate, or display. In one case, the entire renovation consisted of expanding a single year field on a printed report to four digits. Because such a large percentage of systems we assessed were easy to make compliant, we are concerned that the OMB requirement to simply report compliance versus non-compliance can give the impression that bureaus are making significant progress when the most difficult Y2K conversions may still remain.

    Critical Systems Are Not Properly Identified

Because correcting Y2K problems can strain resources and the deadline is immovable, care must be taken to address the bureaus’ most important systems first.
In its Y2K assessment guide, GAO describes a five-phase structured approach for reducing Y2K program risks that includes suggestions for identifying critical systems. In the assessment phase, GAO recommends that agencies rank systems according to their impact on core business functions—that is, take into account what would happen to core services and products if the systems failed. Analysis of core business functions is not only useful for identifying the most critical systems to renovate or replace, but also for contingency planning in case of unforeseen Y2K-induced failures.

We found that bureaus may not have adequately performed this criticality assessment and have had difficulty identifying their critical systems. As stated previously, although OMB requires agencies to report the status of critical systems, we found that 5 out of 14 systems were not critical and that two bureaus (BEA and NIST) chose to include both critical and non-critical in their reports. In one case, a system claimed to be critical had not been run since 1995.

Further evidence that critical systems were inadequately identified comes from the Department’s August and November 1998 quarterly OMB compliance reports. For example, in the August report NOAA added 5 systems to its critical list and removed 15 others. In the November report, the total number of critical systems for the Department increased by three. According to GAO, this assessment phase should have been completed by the end of August 1997 to allow enough time to make systems compliant by the year 2000.

    Evidence Is Lacking to Validate Compliance

To determine whether systems reported to be compliant actually met compliance requirements, we requested that bureaus provide us with test documentation—test plans, test cases, and test results. However, very little documentation was provided to substantiate that systems were compliant. For 8 of the 14 systems we assessed (including 5 of 11 compliant systems), very little documentation was available to show that the systems were adequately tested.

Also, most bureaus did not have a process for confirming that systems were compliant. Instead, most systems were simply designated compliant by the technical staff involved in making the systems compliant. To increase confidence that systems are Y2K compliant and function properly, they should be validated. Validation is the process of evaluating software to determine its compliance with requirements. Usually an independent agent, such as an internal quality control group or an independent verification and validation contractor, assesses the renovation process (by inspecting code, reviewing test documentation, running tests, etc.) and reports its findings to the manager whose business function depends on the system operating properly. If the report is satisfactory, the business manager can attest to the system’s Y2K compliance.

    The Department Is Starting to Improve its Y2K Program

The new CIO has observations similar to ours about the Department’s Y2K Program.
In an October 6, 1998, memorandum to the Deputy Secretary, the CIO stated that the reported number of compliant systems may be “too optimistic,” primarily because compliance has not been independently validated and operating unit heads and business managers have been left out of the reporting chain. In response to these problems, the CIO (1) has required bureau heads to approve Y2K Conversion Program status reports from information provided by their business management chain, (2) has set deadlines for bureaus to present status briefings to the Department’s Deputy Secretary and Chief Financial Officer and Assistant Secretary for Administration, (3) has required the submission of test plans and results for every system reported to be compliant, and (4) plans to use an independent verification and validation contractor to help assess test documentation. We believe the Department’s focus on holding bureau management accountable and monitoring the progress of the most critical systems are sound management practices that will improve the Department’s Y2K program.

CONCLUSION AND RECOMMENDATIONS

As indicated by the actions described, we believe that the Department is starting to address the weaknesses identified in this report by emphasizing sound business management principles in its Y2K Conversion Program and establishing a process for validating compliance. This effort should increase confidence that bureaus’ most critical systems are selected for Y2K conversion, compliance is substantiated, and managers receive the status information they need to manage their Y2K programs.
To reinforce the CIO’s actions, we recommend that he ensure that:

1.  Bureaus are prioritizing their Y2K efforts by identifying and focusing resources on the most critical systems within core business functions that have the greatest risk of Y2K failures.

    Synopsis of CIO’s Response

    The CIO agrees with this recommendation. The CIO will ensure that bureaus are focusing on their most critical, high risk systems by first directing bureaus to identify these systems and then confirming that bureaus’ Y2K activities are focusing on them. Specifically, the CIO is directing bureaus to identify their most critical systems by resubmitting system inventories that include the system’s criticality ranking, complexity, extent of Y2K problems, and compliance status. As part of the CIO’s Y2K oversight responsibilities (reviewing monthly status reports, attending status briefings, etc.), he will confirm that bureaus are actually focusing their current and future Y2K activities (completing conversions, conducting independent validations and end-to-end tests, developing business continuity and contingency plans) on their most critical, high risk systems.

2.  Bureaus comply with the requirements to provide test documentation for compliant systems and have operating unit heads attest that systems are compliant.

    Synopsis of CIO’s Response

    The CIO agrees with the intent of this recommendation.
    Rather than request and review system test documentation from all the bureaus, the CIO will implement this recommendation by using a contractor to independently validate 40 of the Department’s most important systems and by directing bureaus to submit validation reports prepared by their independent validation agents for all their mission critical systems. As part of their system compliance assessments, these validation agents will review test documentation. The CIO is also directing bureau heads to sign their organization’s monthly Y2K status reports. This approach is responsive to our recommendation.

3.  For the quarterly OMB report, special efforts should be taken to ensure that:

    a.  all critical systems are listed,

    b.  non-critical systems are removed,

    c.  systems previously reported to be compliant are confirmed to be compliant, and

    d.  systems that become compliant are reported to be compliant only if they are validated.

    Synopsis of CIO’s Response

    The CIO agrees with the intent of this recommendation. Rather than change the methodology used to report to OMB, the CIO will implement this recommendation by using system inventories that are to be resubmitted by the bureaus (for Recommendation 1) as the basis for maintaining an accurate accounting of compliant mission critical systems.
    To make sure that systems reported to be compliant are confirmed to be compliant, the CIO will also request that bureaus indicate whether the compliance of systems in the inventory has been independently validated and the method of validation. This approach is responsive to our recommendation.

4.  Progress of the most critical, high risk systems is monitored through frequent Department reviews.

    Synopsis of CIO’s Response

    The CIO agrees with this recommendation. Currently, the CIO receives a monthly report from each bureau for systems at risk, that is, those systems that will miss the March 31, 1999 deadline for conversion. The CIO will direct bureau heads to brief him on their Y2K programs in May 1999 and he will report his conclusions to the Secretary.

Appendix

Office of Inspector General’s Assessment of Systems Reported to be Y2K Compliant

Bureau and System                                         Mission Critical  Use of Year Data  Renovated  Test Documents  Adequately Tested  Compliant

Bureau of Export Administration
  Export Control Automated Support System                 Yes               High              Yes        No              No                 No

Bureau of Economic Analysis
  Budget Obligations and Tracking System                  No                Low               No (a)     Yes             Yes                Yes
  National Stock Funds Processing System                  No                I/O Only          Yes        Yes             Yes                Yes
  State and Local Government GDP Processing System        Yes               Low               No (a)     Yes             Yes                Yes

Bureau of the Census
  Administrative Record Processing                        Yes               Low               No (a)     No              No                 No
  Industry and Occupational Codes                         No                None              No (b)     No              Yes                Yes
  Basic Current Population Survey                         Yes               Low               Yes        No              No                 No
  Small Area Income and Poverty Estimates                 No                None              No (b)     No              Yes                Yes

National Institute of Standards and Technology
  Accounts Payable System                                 Yes               High              Yes        Yes             Yes                Yes
  Corporate Information System Financial Database System  No                I/O Only          Yes        Yes             Yes                Yes

General Administration
  Time and Attendance System                              Yes               I/O Only          Yes        Yes             Yes                Yes

International Trade Administration
  Central Records Information Management System           Yes               Low               No (a)     No              Yes                Yes
  ITA Accounting System                                   Yes               Low               No (a)     No              Yes                Yes

Patent and Trademark Office
  Revenue Accounting Management System                    Yes               High              No (a)     No              Yes                Yes

* See Legend and Criteria below *

Appendix (Continued)

Legend and Criteria for Office of Inspector General’s Assessment of Systems Reported to be Y2K Compliant

Mission Critical

  Yes = System is part of a business process that is crucial to the bureau’s mission
  No  = System is not part of a business process that is crucial to the bureau’s mission

Use of Year Data

  I/O Only = Input/Output only (no calculations, data entry/display only)
  Low      = Few calculations
  High     = Many system modules affected

Renovated

  Yes = System renovated specifically to become Y2K compliant
  No  = System not renovated specifically to become Y2K compliant:
        (a) Not renovated because system was programmed to be compliant by either bureau staff or contractors
        (b) Not renovated because system does not use year data

Test Documents

  Yes = Test cases and results available for review
  No  = Test cases and results not available for review

Adequately Tested

  Yes = System tested for current and future dates; extent of testing commensurate with risk (i.e., criticality and extent of year data use)
  No  = Systems not tested for current and future dates

Compliant

  Yes = Adequately tested or assumed to be compliant because contractor is required to deliver a Y2K compliant system (however, it may be advisable for the bureau to perform additional tests)
  No  = Not adequately tested